PayPal’s pal

[Dave Birch] There’s been obvious interest in PayPal’s decision to move to hardware-based 2FA and issue Verisign authentication devices to account holders.  The hardware tokens are in the form of keyfobs that display an ever-changing (well, every 30 seconds) one-time password in the form of six digit number. It will cost US$5 for personal PayPal accounts, but will be free for business customers.  The driver for 2FA is clear: research released by IT security firm Sophos in August 2006 found that over 75% of all phishing e-mails target users of PayPal or its parent company eBay.  PayPal spokeswoman Sara Bettencourt told reporters the new device will provide customers with "another layer of protection" so if a fraudulent party got hold of a person’s username and password, they still wouldn’t be able to get into the PayPal account. This is all good, but one must remember that if a newspaper reports "the device is designed to protect customers against fraudulent phishing scams", customers might well here "the device prevents phishing" which (as Digital Identity denizens are well aware) is simply not true.  Token-based 2FA does not prevent man-in-the-middle attacks.

Technorati Tags: business, identity

If you take the trouble to read PayPal’s FAQ it is much more accurate: it says that their 2FA makes "your account more resistant to intrusion", which is entirely true.  But the coverage did make me reflect on some of the discussions at the 2FA session I chaired at RSA Europe.  No-one wants consumers to get into a situation where they have to carry a string of security fobs to carry around.  Nor is it necessarily optimal for one fob (eg, PayPal’s) to become the de facto standard for access to everything from World of Warcraft to Fifth Third Bank (who seem to be the target of 97% of the bank phishes in my inbox).  I would much prefer the "white token" solution, as we used to discuss in the early days of multi-application smart cards, where the customer takes responsibility for stronger authentication and goes any buys (let says) an OATH-compliant USB key which they then register with their bank, their retailers, their MMORGS, their social networks and so forth.

Incidentally, it is not idle speculation to consider how criminals might subvert 2FA to steal money from online bank accounts because they’ve already done it to Nordea, a bank with a long history of using 2FA.  Nordea say that over the last 15 months their customers have been targeted by e-mails (from, the Swedish police believe, Russian organised crime) containing a Trojan.  The e-mail encouraged customers to download a "spam fighting" application which was actually Haxdoor.  This installed a key logger.  The Trojan activated when customers attempted to log in to the Nordea online banking site: customers were redirected to a fake bank site and then asked for 2FA authentication.  The customers were then presented with a notice telling them that the Nordea site was experiencing technical difficulties and could they please log in later on.  Meanwhile, the criminals had logged in to the actual bank account and started transferring money out.  Over a million dollars has been stolen from 250 customer accounts.

2FA is a first step, but it is not the foundation of sustainable digital identity in this form.  We have to move to end-to-end security.  PKI in smart cards, for example. How this might happen is a business issue, of course.  In government, it’s a different matter because tokens can be mandated.  In the U.S. case, the Federal Government’s HSPD-12 migration (which means using PKI, smart cards and biometrics) means adding $15 to $20 to the cost of a laptop.  This doesn’t sound like much to me.  But then I’m not a banker.

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
[posted with ecto]